- SURFnet Step-up Authentication-as-a-Service: A study of the architecture and processes.
Identity Providers (IdPs) within the SURFconext federation feel the need for stronger forms of authentication. A business case analysis performed by SURFnet in Q2 2012 shows a clear demand among SURFnet’s constituency for a service in the SURFconext environment that offers strong authentication on top of the existing identity hosted by a user’s home institution. This report is a study of the architectural and procedural aspects of introducing such a service.
A number of current and near-future use cases (described in Chapter 1) have emerged for which username/password is no longer sufficient. These use cases lie in the areas of student information systems, administrative systems, and collaborative research in which privacy-sensitive and/or medical data is handled. The need for better authentication can be effectively addressed by introducing a SURFnet-operated service (referred to as “SURFsure” in this report) that offers technical and organisational assistance to the IdPs.
Handling different Levels of Assurance (LoA, the confidence relying parties can have in the authenticity of an identity) within a federation must be based on open and accepted standards. While some of these standards are still under development, it is already possible to make future-proof choices for standards defining the semantics and communication of the LoA. The SURFsure service architecture described in Chapter 2 supports the signaling of the LoA within the SURFconext federation while at the same time remaining loosely coupled to SURFconext.
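As an added illustration of what "signaling the LoA within the federation" amounts to on the relying-party side (this is example code written for this summary, not code from the SURFsure report or from SURFnet), the snippet below assumes the LoA is carried the way SAML 2.0 federations such as SURFconext carry it: in the AuthnContextClassRef element of an assertion. The LoA URIs, their ranking and the sample assertions are constructed for the example; the report does not fix them. The check is deliberately ordered rather than an equality test, so that a user who authenticated at a higher level than requested is still admitted, and it fails closed on an unknown or missing LoA.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical LoA identifiers, ordered from weakest to strongest.
# The real identifiers are whatever the federation agrees on; these are
# placeholders for the example only.
LOA_RANK = {
    "http://example.org/loa/1": 1,  # username/password only
    "http://example.org/loa/2": 2,  # password plus a second factor
    "http://example.org/loa/3": 3,  # second factor plus in-person identity vetting
}


def authn_context_class_ref(assertion_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef URI from a SAML assertion, or None.

    Only the AuthnStatement is inspected; signature verification and
    Conditions/audience checks must already have happened before the LoA
    value can be trusted, because an unsigned assertion can claim any LoA.
    """
    root = ET.fromstring(assertion_xml)
    el = root.find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        SAML_NS,
    )
    if el is None or not el.text:
        return None
    return el.text.strip()


def meets_required_loa(assertion_xml: str, required_loa: str) -> bool:
    """True if the asserted LoA is at least as strong as the required one.

    Unknown or missing LoA values are rejected (fail closed): a relying party
    must never grant access on the strength of an identifier it cannot rank.
    """
    asserted = authn_context_class_ref(assertion_xml)
    if asserted not in LOA_RANK or required_loa not in LOA_RANK:
        return False
    return LOA_RANK[asserted] >= LOA_RANK[required_loa]


def _sample_assertion(loa_uri: Optional[str]) -> str:
    """Build a constructed, minimal SAML assertion for the example."""
    context = (
        "<saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{loa_uri}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext>"
        if loa_uri
        else ""
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" IssueInstant="2012-06-01T12:00:00Z" Version="2.0">'
        "<saml:Issuer>https://idp.example.org/</saml:Issuer>"
        '<saml:AuthnStatement AuthnInstant="2012-06-01T12:00:00Z">'
        f"{context}"
        "</saml:AuthnStatement>"
        "</saml:Assertion>"
    )


# Constructed sample assertions used by the demo below.
PASSWORD_ONLY = _sample_assertion("http://example.org/loa/1")
STEP_UP = _sample_assertion("http://example.org/loa/2")
VETTED = _sample_assertion("http://example.org/loa/3")
UNKNOWN_LOA = _sample_assertion("http://example.org/loa/custom")
NO_LOA = _sample_assertion(None)


if __name__ == "__main__":
    required = "http://example.org/loa/2"
    for name, assertion in [
        ("password only", PASSWORD_ONLY),
        ("step-up", STEP_UP),
        ("vetted", VETTED),
        ("unknown LoA", UNKNOWN_LOA),
        ("no LoA", NO_LOA),
    ]:
        print(f"{name:14s} -> {meets_required_loa(assertion, required)}")
```

The ranking table is the part a federation has to agree on centrally: a service provider that ranks identifiers differently from the step-up service would either reject valid step-up logins or, worse, accept a weaker one.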